Zac Anger's Blog

Digital Security Guide

2019-12-19

Tags: security


Updated 2021-04-07.

Originally posted at the ProleSoft blog, moved here rather than duplicated for maintainability.

Most major tech companies sell your data to advertisers and governments. You need to stay safe online, so you should be careful about what you use and how you use it.

All the recommendations here are just that: recommendations. Most users will not need to follow everything in this guide. Technology changes quickly, so some recommendations here may be out of date. Use your best judgement and trust what security experts say (and use your best judgement on which security experts to trust!).

General

You should try to avoid anything hosted in, or owned by, a company in the US. You should also use end-to-end encryption wherever possible. When possible, you should use open-source software. This is not just an ideological statement: it's much harder for major security flaws, back doors, and bad practices to make their way into, or survive in, software whose source code is frequently read by hundreds or thousands of people than in an equivalent piece of software built and maintained behind closed doors.

Don't use your real name, real address, or information that could be linked to your identity in sensitive situations. This includes social media, photos, email addresses, location, and anything else that could be linked to your identity. If you host a website, use WHOIS privacy protection.

Unionizing

This section is not a guide on unionizing, just security recommendations.

Do not use company email, messaging (Slack, Hipchat, etc.), phones, computers, networks, or other resources for organizing. A simple rule of thumb is: if the company pays for it, don't use it. You have no protection under labor law if you do. Check your company handbook/policies to see what they can access or claim they can access, because you may also want to avoid organizing on your own devices during work hours. Follow the other recommendations in this guide for what apps and services to use, especially when it comes to messaging and email.

Passwords

Prefer random passwords generated by a password manager like KeePassXC, Bitwarden, or some other cryptographically secure password generator. Never reuse passwords anywhere, and rotate your passwords regularly.

If you absolutely must use a password you can remember (such as for your computer account or disk encryption), prefer long passphrases over passwords. Check for password/phrase security here, and check regularly to see if your data has been involved in a leak here (Firefox has this feature built in now). You can also check both your password security and its leak status on this tool.
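The two points above, a cryptographically secure generator and long passphrases, as an added example (not code from the original post). It uses Python's `secrets` module rather than `random`, and the short word list is constructed for illustration; a real passphrase should draw from a list of several thousand words.

```python
import math
import secrets

# Constructed sample word list, far too small for real use: entropy per word is
# log2(len(list)), so a list of thousands of words is what you actually want.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "garnet", "hollow",
    "iris", "juniper", "kestrel", "lumen", "marble", "nettle", "orchid",
    "pebble", "quartz", "ripple", "saffron", "thistle", "umber", "velvet",
    "willow", "yarrow", "zephyr",
]

PASSWORD_ALPHABET = (
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "!@#$%^&*()-_=+[]{};:,.<>/?"
)


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from a pool of `pool_size`."""
    return length * math.log2(pool_size)


def generate_password(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Random password from the OS CSPRNG (secrets.choice), never random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(word_count: int = 6, words=SAMPLE_WORDS, sep: str = "-") -> str:
    """Random passphrase. Words are drawn with replacement, so the entropy is
    exactly word_count * log2(len(words)) even if a word repeats."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def words_needed(list_size: int, target_bits: float) -> int:
    """Fewest words from a list of `list_size` that reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(generate_password())
    print(generate_passphrase())
    # Six words from a 7776-word list beat an 8-character password from 95 symbols.
    print(round(entropy_bits(7776, 6), 1), "bits vs", round(entropy_bits(95, 8), 1))
```

Entropy only counts when the choice is uniform and random; a passphrase you "think up" yourself gets none of these guarantees.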

Encryption

Using GnuPG (an implementation of PGP) takes some practice, but is worth it for encrypting files manually and sending encrypted emails. Check out this guide to getting up and running with GPG.

For encrypting directories, use gocryptfs, Cryptomator, or a similar piece of open source software. Never use closed-source encryption software.

OS

Prefer almost any OS over Windows. Windows is buggy, full of telemetry (read: Microsoft spyware), and insecure. If you're tech savvy, learning Linux is a good route. You could try Xubuntu as a good starter distro. If you're very tech-minded, you could try OpenBSD or FreeBSD. Mac OS is also a better choice than Windows, but comes with some of the same vendor lock-in (and a huge price tag).

For extreme needs, you should look into Tails or Qubes.

Whichever OS you use, you absolutely need to enable full-disk encryption.

For mobile, both iOS and Android are okay options, as long as you keep them up to date and don't install anything requiring permissions it shouldn't need. In the Android world, you could also look into Lineage, UBPorts (Ubuntu Phone fork), and other hobbyist OSs and phones.

Browsers

Avoid Chrome. Google's business model is surveillance, and their browser exists to collect your data. Also avoid Internet Explorer (it's unmaintained and insecure), Microsoft Edge (because of the telemetry), and anything closed-source or proprietary (which rules out Opera and Vivaldi).

Do not visit sites over HTTP unless you absolutely have to, even if the site doesn't collect your data. Just don't do it. Some browsers have settings to enforce this, but for the rest, there are extensions such as HTTPS Everywhere.

Email

Avoid Google, Microsoft, Yahoo, and other US companies. Also try to avoid companies that want your real name. Protonmail is in Switzerland and has a free plan. Tutanota also has a free plan, and is in Germany. See the links at the bottom of the page for more recommendations.

Messaging

You need end-to-end encryption for anything sensitive. This means your communications should be encrypted in transit (TLS 1.2 is the only thing you should accept as of early 2020), and also encrypted at rest (on the server where they're stored) without the company running the messaging platform being able to read them. If communications are not E2EE, you should treat them as if they're public.
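The transport half of that requirement ("accept nothing older than TLS 1.2"), as an added example that is not part of the original post. It builds a client context with Python's standard `ssl` module that refuses TLS 1.0/1.1 (TLS 1.3 is still allowed) and verifies certificates, and a small audit helper for checking a context handed to you by some library; the `cafile` parameter is an assumption for readers with a private CA.

```python
import ssl
from typing import List, Optional


def make_strict_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that refuses anything older than TLS 1.2 and insists on
    certificate validation with hostname checking. `cafile` is optional: with
    None the system trust store is used."""
    ctx = ssl.create_default_context(cafile=cafile)  # PROTOCOL_TLS_CLIENT underneath
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # TLS 1.0/1.1 rejected, 1.3 fine
    ctx.check_hostname = True                        # name in cert must match host
    ctx.verify_mode = ssl.CERT_REQUIRED              # unverifiable server => fail
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> List[str]:
    """Audit an existing context against the policy above.
    Returns the list of violations; an empty list means it passes."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(
            f"minimum_version is {ctx.minimum_version.name}, want TLSv1_2"
        )
    if not ctx.check_hostname:
        problems.append("check_hostname is disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED")
    return problems


if __name__ == "__main__":
    strict = make_strict_client_context()
    print("strict context violations:", context_meets_policy(strict))
    # A context that skips verification, the kind of thing copied from a
    # "fix SSL error" answer; the order matters (check_hostname off first).
    sloppy = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    sloppy.check_hostname = False
    sloppy.verify_mode = ssl.CERT_NONE
    print("sloppy context violations:", context_meets_policy(sloppy))
```

Pass the strict context to `ssl.SSLContext.wrap_socket(sock, server_hostname=...)` or to any library that accepts an `SSLContext`; a server that only offers TLS 1.0 or 1.1 then fails the handshake instead of silently downgrading.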

Use Signal for an SMS/KakaoTalk/WhatsApp alternative, and Riot/Matrix for group chat.

MFA

Enable MFA wherever possible. Authy is a convenient MFA app that isn't tied to a specific device or external (Google, Apple) account. For a hardware device, check out YubiKey.

Search

Use Swisscows or Metager if possible. DuckDuckGo and Startpage are also decent options, but are run by companies in the US, so are not completely trustworthy. You could also run your own Searx or YaCy search engine.

Media

Use youtube-dl to get videos and music from almost any website, and Invidious to watch YouTube videos in the browser. You can play media locally with MPV.

DNS

Change your default DNS provider, which is probably your ISP or Google, to something like BlahDNS or SecureDNS. See the links at the bottom of the page for more recommendations. Avoid DNS providers hosted or run in the US, providers that have logging, and providers that do not have DNSSEC. You can also use Pi-hole, Unbound, or other systems to block trackers, ads, and other bad IPs. Lists to get you started are available here.

VPN

Use a VPN with no logging that is not hosted or run by a company in the US.

Documents

Avoid proprietary and exploitable formats. That means no Microsoft Word doc/docx and no PDFs if possible. Plain text formats (txt, md, html, etc.) allow reading through any application and limit the chance of executing arbitrary code. Use plain text editors that are open source and not made by major US companies (avoid Google Docs, VS Code, Atom, etc.) as much as you can, and use LibreOffice when you can't. Encrypt any documents that contain sensitive data, like information that could be used to identify someone, schedules, and addresses.

Sync

Dropbox is a US company, and stores your data on their servers. Prefer a self-hosted alternative like Seafile, Syncthing, Syncany, or SparkleShare. Encrypt any sensitive files.